Email hacking for hire going mainstream – part three

Just as we anticipated on two occasions in 2012, managed email hacking for hire services continue popping up in publicly accessible cybercrime-friendly communities, a trend that’s largely driven by the demand for such services from unethical competitors, “friends”, or current/ex-spouses.

Often pitched as “forgotten password recovery” services, they rely on social engineering, brute-forcing, and spear phishing campaigns, often leading to a successful compromise of a targeted account. Based on the number of positive vouches, the services continue receiving a steady stream of satisfied and verified customers.

In this post, I’ll profile one of the most recently advertised email hacking for hire services, specializing in hacking Gmail and Yahoo! accounts, as well as email accounts at popular free Russian email service providers. How much does it cost to hack a Gmail or Yahoo! account? What about corporate email?

Let’s find out.

Sample screenshot of the email hacking for hire service:

The service also features a catchy video that pitches its core features to prospective buyers. What about the prices?

Sample pricing scheme of the email hacking for hire service, offering discounts if customers refer it to friends:

The prices are as follows:

Mail.ru, Bk.ru, Inbox.ru, List.ru – 3000 rubles ($100)

Yandex, Rambler – 4000 rubles ($150)

Gmail, Googlemail – 7000 rubles ($230)

Yahoo! Mail – 10,000 rubles ($350)

The main problem with these services is that they often produce the promised results thanks to the victim-tailored spear phishing attempt. In comparison, it would be cost-ineffective for them to outsource the CAPTCHA-solving process when brute-forcing for popular passwords, a practice we believe is a thing of the past.

Today’s QA (Quality Assurance) minded cybercriminals tend to do their best to automatically and efficiently personalize their campaigns in an attempt to increase the probability of a successful malware infection/phishing lead. And while they sometimes manage to prepare a convincing email referencing you by username, perhaps even your full name — which they often obtain through harvesting for contacts on the PC of an infected friend of yours — this is where it all ends, at least for massive spamvertised campaigns.

This leads us to a situation where your “friends”, unethical competitors, or a suspicious/paranoid current/ex-spouse will supply the service with crucial details about your personality (from a social engineering perspective), details that will increase the probability of a successful account compromise. The worst part is that the data obtained from first-hand sources, such as people who know you, is indispensable compared to similar data which could be gathered by data mining social networks in an attempt to tailor a spear phishing campaign that’s exclusively targeting you.

Email users are advised to be extra cautious when receiving emails that suspiciously “know too much” about them, especially emails sent to them from impersonated parties who might have an interest in compromising them, and to use two-factor authentication where applicable.